"Steve Marquess" <marqu...@openssl.com> wrote on 01/27/15 09:18:

Thank you (and Tom) for your comments - much appreciated.

> Tom Francis nailed the answer to this one. We did design the FIPS module
> + "FIPS capable" OpenSSL combination to make it possible to have a
> system wide "FIPS mode" capability, but that presumes that the system
> maintainer (i.e. OS distribution maintainer) has done the review and
> modification of each application that uses cryptography to make sure it
> is compatible with the many restrictions of FIPS mode.

Yes, I understand the concern. Does this mean that the FIPS checks will be done today on OpenSSL library startup w/o the need for an application to use FIPS_mode_set()? I'm asking since the OpenSSL FIPS User Guide 2.0 only mentions using FIPS_mode_set() (and FIPS_selftest()). This might have to do with your comment below.

> That is indeed the assumption: that commercial versions of RH and SuSE
> have modified all impacted OSS applications to operate in FIPS mode. If
> they haven't they are deceiving their customers and the U.S. government.

I see. There is a set of SuSE OpenSSH FIPS patches from 9 months ago, though.

> Please read the first two sentences on that web page, right at the top.

OK! Regarding the second sentence :) ... what is the current status? Is OpenSSL transparently executing FIPS checks when in FIPS mode? And why would there be any validation (as opposed to functional tests) to be done, since these checks are the same as they were before, I presume, just done automatically this time around.

Regards.

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
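The question above ("are the FIPS checks run at library startup, or only when an application calls FIPS_mode_set()?") can be settled empirically for a given libcrypto. The probe below is an added example written for this page; it is not code from the thread, from OpenSSL or from any distribution. It loads a libcrypto with dlopen() so that it builds without OpenSSL headers and works against whatever library the system ships, then: (1) asks FIPS_mode() whether FIPS mode is already on in a process that never called FIPS_mode_set(1), which is what a "transparent"/system-wide enabling would look like (a distribution may patch libcrypto to do this at load time), (2) if not, calls FIPS_mode_set(1) itself, which is the point at which the 1.0.x FIPS Object Module runs its power-on self-tests, and (3) reports the OpenSSL error string if that fails (typically: no FIPS module compiled in, or a self-test failure). FIPS_mode, FIPS_mode_set, ERR_get_error and ERR_error_string_n are the real OpenSSL 1.0.x exports the User Guide refers to; OpenSSL 3.x no longer exports FIPS_mode/FIPS_mode_set, so on such a library the probe reports "no FIPS API" rather than guessing. The default soname "libcrypto.so.1.0.0" is an assumption, override it on the command line. Since FIPS_mode_set(1) changes the state of the loaded library, run this in a throwaway process, not inside a production service.

```c
/* fips_probe.c: report whether a libcrypto is already in FIPS mode, or only
 * enters it when the application calls FIPS_mode_set(1).  Added example for
 * the discussion above; not part of OpenSSL.  Build: cc -o fips_probe fips_probe.c
 * (add -ldl on glibc older than 2.34). */
#define _POSIX_C_SOURCE 200809L
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Result of probing one libcrypto for its FIPS-mode state. */
enum fips_probe {
    PROBE_NO_LIB = 0,    /* dlopen() failed: no such library on this system */
    PROBE_NO_FIPS_API,   /* FIPS_mode()/FIPS_mode_set() not exported: OpenSSL 3.x, or a build without FIPS support */
    PROBE_ALREADY_ON,    /* FIPS_mode() was non-zero before we asked: the library switched itself on at load time */
    PROBE_ENABLED_HERE,  /* FIPS mode was off; our FIPS_mode_set(1) succeeded, i.e. the self-tests ran only now */
    PROBE_SET_FAILED     /* FIPS mode was off and FIPS_mode_set(1) failed (no FIPS module, or a self-test failed) */
};

/* Prototypes of the OpenSSL 1.0.x exports we look up by name. */
typedef int (*fips_mode_fn)(void);
typedef int (*fips_mode_set_fn)(int);
typedef unsigned long (*err_get_error_fn)(void);
typedef void (*err_error_string_n_fn)(unsigned long, char *, size_t);

/* dlsym() yields an object pointer; copy its bits into the function pointer
 * instead of casting, so strict compilers do not complain.  Returns 1 if found. */
static int lookup(void *h, const char *name, void *fnptr_out)
{
    void *sym = dlsym(h, name);
    if (sym == NULL)
        return 0;
    memcpy(fnptr_out, &sym, sizeof sym);
    return 1;
}

/* Probe the library named by libname (NULL = symbols already loaded in this
 * process).  On PROBE_SET_FAILED, errbuf (if non-NULL) receives OpenSSL's
 * error string for the failed FIPS_mode_set(1) call. */
enum fips_probe probe_fips(const char *libname, char *errbuf, size_t errlen)
{
    fips_mode_fn fips_mode = NULL;
    fips_mode_set_fn fips_mode_set = NULL;
    err_get_error_fn err_get_error = NULL;
    err_error_string_n_fn err_error_string_n = NULL;
    enum fips_probe result;
    void *h = dlopen(libname, RTLD_NOW | RTLD_LOCAL);

    if (h == NULL)
        return PROBE_NO_LIB;

    if (!lookup(h, "FIPS_mode", &fips_mode) || !lookup(h, "FIPS_mode_set", &fips_mode_set)) {
        result = PROBE_NO_FIPS_API;
    } else if (fips_mode() != 0) {
        result = PROBE_ALREADY_ON;     /* nobody here called FIPS_mode_set(1): the library did it itself */
    } else if (fips_mode_set(1) == 1) {
        result = PROBE_ENABLED_HERE;   /* the power-on self-tests ran just now, at our request */
    } else {
        result = PROBE_SET_FAILED;
        if (errbuf != NULL && errlen > 0) {
            errbuf[0] = '\0';
            if (lookup(h, "ERR_get_error", &err_get_error) &&
                lookup(h, "ERR_error_string_n", &err_error_string_n))
                err_error_string_n(err_get_error(), errbuf, errlen);
        }
    }
    dlclose(h);
    return result;
}

int main(int argc, char **argv)
{
    /* Assumed default soname of a 1.0.x libcrypto; pass your own as argv[1]. */
    const char *lib = argc > 1 ? argv[1] : "libcrypto.so.1.0.0";
    static const char *const verdict[] = {
        "library not found",
        "no FIPS_mode()/FIPS_mode_set() exported (OpenSSL 3.x or non-FIPS build)",
        "FIPS mode already on without any FIPS_mode_set() call from this process",
        "FIPS mode was off; FIPS_mode_set(1) succeeded, self-tests ran at our request",
        "FIPS mode was off; FIPS_mode_set(1) failed"
    };
    char err[256];
    enum fips_probe r = probe_fips(lib, err, sizeof err);

    printf("%s: %s\n", lib, verdict[r]);
    if (r == PROBE_SET_FAILED)
        printf("  OpenSSL error: %s\n", err);
    return 0;
}
```

Read the verdicts as follows: "already on" means the library (or a distribution patch to it) enabled FIPS mode, and ran the self-tests, at load time with no help from the application; "succeeded" means the library is FIPS capable but stays in non-FIPS mode until each application calls FIPS_mode_set(1), which is the model the User Guide describes; "failed" with an error such as "fips mode not supported" means no FIPS Object Module was built in at all. A probe run against an application's own process (dlopen with NULL, after the application has initialised) is the quickest way to check a packaged program that claims to be FIPS-enabled.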